Oboron

String in, string out symmetric encryption

Protocol Specification CLI Specification

Oboron is a string in, string out symmetric encryption protocol — the enc operation takes a plaintext string and returns an obtext string; dec reverses it. Encryption and encoding are combined into one seamless process across all language implementations.

Specifications

Document	Description
Protocol Specification	formats, algorithms, key management, properties, API
CLI Specification	`ob` and `obz` command-line interface

Features

String in, string out — enc and dec are the only operations you need; no manual encoding/decoding steps
Consistent scheme naming — cryptographic primitives named by tier + property + algorithm (e.g., aasv = Authenticated + Avalanche + SiV), making cryptographic choices accessible without deep expertise
Unified key management — a single 512-bit master key works across all schemes with deterministic subkey extraction; no manual key decoding from environment variables
Prefix-focused entropy — high initial entropy enables Git-like referenceable short prefixes
Cross-language interoperability — all implementations produce identical outputs for the same inputs
Performance optimized — reference implementation benchmarks on short strings show performance roughly comparable with SHA256 on same input

More details:

Properties: prefix entropy, deterministic injectivity, performance and output length comparisons
Obtext Lengths: complete obtext length tables for all formats and encodings.

Quick Start

Install:

cargo install oboron

pip install oboron

go get oboron.org/go/oboron

Generate your 128-character hex key (512 bits):

from the terminal:

cargo run --bin keygen

or in your code:

let key = oboron::generate_key();

from the terminal:

python -m oboron.keygen

or in your code:

key = oboron.generate_key()

from the terminal:

go run oboron.org/go/cmd/keygen

or in your code:

key := oboron.GenerateKey()

Save the key as an environment variable, then use e.g., AasvC32 (a secure scheme, 256-bit encrypted with AES-SIV, encoded using Crockford's base32 variant) for enc/dec:

use oboron::AasvC32;

let key = env::var("OBORON_KEY")?;
let ob = AasvC32::new(&key)?;

let ot = ob.enc("hello, world")?;
let pt2 = ob.dec(&ot)?;

println!("obtext: {}", ot);
// "obtext: cbv74r1m7a7cf8n6gzdy..."

assert_eq!(pt2, "hello, world");

import os
from oboron import AasvC32

key = os.getenv("OBORON_KEY")
ob = AasvC32(key)

ot = ob.enc("hello, world")
pt2 = ob.dec(ot)

print(f"obtext: {ot}")
# "obtext: cbv74r1m7a7cf8n6gzdy..."

assert pt2 == "hello, world"

import (
    "fmt"
    "os"

    "oboron.org/go/oboron"
)

key := os.Getenv("OBORON_KEY")
ob, _ := oboron.NewAasvC32(key)

ot, _ := ob.Enc("hello, world")
pt2, _ := ob.Dec(ot)

fmt.Printf("obtext: %s\n", ot)
// "obtext: cbv74r1m7a7cf8n6gzdy..."

// pt2 == "hello, world"

All implementations produce identical obtext for the same key and plaintext.

Why a CLI Specification?

The CLI Specification presents a standardized CLI interface enabling cross-language conformance testing: any implementation (Rust, Python, Go, etc.) can run the existing standard testing suite — ob-cli-tests crate in the reference implementation repo (gitlab.com/oboron/oboron-rs) — through a shared CLI contract, verifying that each implementation produces identical outputs.

Thus, by implementing the standard CLI interface, implementers can validate their implementation using the language-agnostic reference testing suite.

Applications

Oboron's combination of properties — particularly prefix entropy, compactness, and deterministic injectivity — enables specialized use cases beyond general-purpose encryption:

Git-like short IDs — high-entropy prefixes for unique references
URL-friendly state tokens — encrypt web application state into compact URLs
No-lookup captcha systems — server issues encrypted challenge, verifies without database lookup
Database ID obfuscation — hide sequential IDs while maintaining reversibility
Compact authentication tokens — efficient alternative to JWT for simple use cases

Comparison with Alternatives

Use Case	Traditional Solution	Oboron Approach
Short unique IDs	UUIDv4 (36 chars)	`ob:aasv.c32` (34-47 chars, reversible)
URL parameters	JWT (150+ chars)	`ob:aasv.b64` (4.5x smaller, 4x faster)
Database ID masking	Hashids (not secure)	Proper encryption

Implementations

Rust: — reference implementation (GitLab: oboron/oboron-rs)
- Core library: oboron crate
- CLI: oboron-cli crate (ob and obz binaries)
Python: (GitLab: oboron/oboron-rs/oboron-py)
- Python bindings for core library: PyPI: oboron
- CLI: PyPI: oboron-cli
Go: (oboron.org/go module)
- Library: oboron.org/go/oboron
- CLI: go install oboron.org/go/cmd/ob@latest (also obz, obcrypt)

License

The documentation and standards on this website are licensed under the MIT License.

MIT License · https://oboron.org/